Utility companies and hospitals are coming under increasing risk of cyberattack, according to a report by credit ratings agency Moody’s. In its first update to the Cyber Risk Heatmap since 2019, the agency found water companies were among the most at risk of any sector. While the financial reward for attacking a water or electricity company is relatively low, these companies often have minimal security measures in place, making them attractive targets.
The report looks at the cyber risk across more than 70 sectors of the economy, scoring each on a scale of low, moderate, high or very high risk of cybersecurity exposure, set against any mitigation taken by organisations in that sector.
Working with data gathered by BitSight Technologies, a cyber ratings company, the team of analysts found there had been a notable rise in mitigation since the previous report, with organisations investing in cybersecurity and risk management technologies.
Moody’s considered the level of debt within each sector to weigh the economic impact of any major cyberattack, finding that $22trn of the $80trn it rated has a high or very high cyber risk exposure. This is up about $1trn on the 2019 heat map on a similar level of rated debt.
The sectors most at risk weren’t necessarily those with the highest level of debt exposure or the most to lose financially but rather those least likely to have good risk mitigation in place.
“We scored water and waste water utilities as very high this year compared to a moderate in 2019,” Moody’s senior analyst and author of the report, Steven Libretti, told Tech Monitor. “While the very high score this year is not all that surprising, the movement itself is.”
Cyberattacks: low reward targets are at higher risk
Of the more than 70 sectors studied, Moody’s found the four most at-risk sectors were all utilities and the fifth was not-for-profit hospitals, which Libretti says was likely due to them being attractive and high-profile targets for cybercriminals.
“When looking at these utilities, we find them to be often very small uncomplex entities that are highly attractive targets,” he explains. “They often have less advanced cyber risk mitigation strategies including less developed perimeter vulnerability management programs and less advanced cyber risk management practices.”
The utilities and hospitals were followed by banks, telecom companies, chemical suppliers and transportation services in terms of level of risk, with those in construction and agriculture at the lower end of the risk scale.
“Cyber risk is rising. However, we are witnessing correlated growth in robust security program investments, as industries prioritise the need to assess and quantify the risk to inform key strategy decisions, mitigate supply chain risk, and ensure investor confidence,” said Libretti.
Derek Vadala, chief risk officer for BitSight, said it graded the risk by looking at open ports and patching cadence datasets within each sector. “Poor patching cadence, for example, is strongly correlated with a significantly higher risk of ransomware.”
“Continued focus on improving basic cyber hygiene and vulnerability management performance can measurably reduce the risk of experiencing a business-impacting incident,” Vadala added.
Digitisation poses cybersecurity risk
Moody’s had no way to directly measure investment in cybersecurity, but found that certain sectors were weaker than others using the BitSight analysis. The worst offenders were the utilities, education, media, entertainment and publishing companies.
Libretti wouldn’t be drawn on whether the predicted recession would have any impact on the level of investment made in cybersecurity or whether it would lead to a greater degree of cyberattack in future, but some future technologies could have an impact.
Three-quarters of the debt covered in the report was linked to sectors of the economy that scored high or very high on digitisation risk, that is, risks linked to the digital transformation of systems, processes, information and networks.
The report gives the example of the cyberattack on SolarWinds in 2020 to show how a digitisation risk can affect one company and spread to other organisations. Attackers injected malicious code into a software update that SolarWinds sent out to customers, allowing the code to enter customers’ networks and giving the attackers access.
The sectors most at risk from the digitisation process are banks, technology and software companies, telecommunication companies and those working in insurance.